trusted publisher (#264)

* minimumReleaseAgeの追加

* trusted publisherに対応

* update permission

Author: yoshiko-pg

.github/renovate.json5

@@ -9,4 +9,5 @@
   ],
   timezone: 'Asia/Tokyo',
   postUpdateOptions: ['yarnDedupeHighest'],
+  minimumReleaseAge: '7 days',
 }

.github/workflows/publish.yml

@@ -17,6 +17,10 @@ concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: true
 
+permissions:
+  id-token: write # Required for OIDC
+  contents: write # create tag and release
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -28,6 +32,11 @@ jobs:
           node-version-file: '.node-version'
           cache: 'yarn'
           registry-url: 'https://registry.npmjs.org'
+
+      # Trusted publishing requires npm CLI version 11.5.1 or later.
+      - name: Ensure npm >= 11.5.1
+        run: npm i -g npm@^11.5.1
+
       - name: Install dependencies
         run: yarn install --frozen-lockfile
 
@@ -37,9 +46,8 @@ jobs:
           git config user.name '[bot] github action (${{ github.workflow }})'
           git config user.email '[email protected]'
           yarn version --${{ github.event_name == 'schedule' && 'patch' || github.event.inputs.versionClass }}
+          yarn run publish
           echo "new_version=$(jq -r .version package.json)" >> "$GITHUB_OUTPUT"
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Create release
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0

package.json

@@ -21,7 +21,7 @@
     "check:prettier": "prettier --check .",
     "format": "prettier --write .",
     "preversion": "echo \"Run check for version $npm_package_version\" && yarn run check",
-    "postversion": "git push --tags && git push origin main && yarn publish ."
+    "publish": "npm publish . && git push origin main && git push --tags"
   },
   "dependencies": {
     "stylelint": "16.24.0",